The issue I ran into that caused problems was the following: Puppet 2.7.14, for some reason, on my environment sets the keylength by default to 4096. F5 LTM, on at least the 10.1 version, cannot support anything more than 2048 for both the cert on the F5 and the client cert for authentication; the LTM will allow you to add the certificate but not apply it to the SSL profile. The client SSL cert that each puppet agent sends, if it's greater than 2048, will instantly receive a TCP RST, though the request to the puppet master will still be sent for catalog compile. More detail on the SSL key issue and what is and is not affected here: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12147.html
Additional changes were required, but this is what my non-SSL vhost (what the F5 is proxying requests to) looks like:

# Apache Configuration
<VirtualHost *:18140>
   ServerName puppetmaster1.example.com
   DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
   RackBaseURI /
   <Directory /usr/share/puppet/rack/puppetmasterd/public/>
      Options None
      AllowOverride None
      Order allow,deny
      allow from all
   </Directory>

   # Map the headers the F5 inserts onto the mod_ssl variables Puppet expects
   SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
   SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
   SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
   SetEnvIf X-Forwarded-Proto "https" HTTPS=1

   LogLevel error
   ErrorLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_error_log.%Y%m%d -l /var/log/httpd/puppetmaster_error_log"
   CustomLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_access_log.%Y%m%d -l /var/log/httpd/puppetmaster_access_log" combined
</VirtualHost>

The SSL port (8140) is following the standard guide for Apache Passenger, but with these three lines (like the non-SSL vhost):

   SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
   SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
   SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1

Here is what the F5-specific configuration looks like. I substituted the IP addresses and some of the names because of my environment.
pool puppet {
   lb method member least conn
   monitor all gateway_icmp
   members 192.168.1.10:18140 {}
}
virtual puppet {
   snat automap
   pool puppet
   destination 192.168.1.9:8140
   ip protocol tcp
   rules R_PUPPETMASTERS
   profiles {
      http {}
      puppet {
         clientside
      }
      tcp {}
   }
}
profile clientssl puppet {
   defaults from clientssl
   key "puppet.key"
   cert "puppet.crt"
   chain "puppetca.crt"
   ca file "puppetca.crt"
   client cert ca "puppetca.crt"
   renegotiate enable
   peer cert mode require
   authenticate always
}
# Slightly modified iRule based off of http://projects.puppetlabs.com/projects/puppet/wiki/Load_Balancing_F5
rule R_PUPPETMASTERS {
   when HTTP_REQUEST {
      HTTP::header insert "X-Forwarded-Proto" "https"
      set cert_request 0
      # second path segment, e.g. "/certificate/" in /production/certificate/<fqdn>
      set path2 [URI::path [HTTP::uri] 2 2]
      if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
         set cert_request 1
      }
   }
   when HTTP_REQUEST_SEND {
      if { $cert_request == 0 } {
         clientside {
            if { [SSL::verify_result] == 0 } {
               HTTP::header insert "X-Client-Verify" "SUCCESS"
            }
            HTTP::header insert "X-Client-DN" /[X509::subject [SSL::cert 0]]
            HTTP::header insert "X-SSL-Subject" /[X509::subject [SSL::cert 0]]
         }
      }
   }
}
# end of F5 configuration

Hopefully this helps people who have had issues similar to the ones I had.

On Wednesday, July 18, 2012 3:17:34 PM UTC-4, ed209 wrote:
>
> Someone from Puppetlabs should reach out to F5 and have them create a
> deployment guide.
>
> http://www.f5.com/solutions/resources/deployment-guides.html
>
> (selfishly interested in seeing this as well).
>
>
> On Wed, Jul 18, 2012 at 1:41 AM, ollies...@googlemail.com <
> paul.seym...@barcap.com> wrote:
>
>> On Tuesday, 17 July 2012 16:14:05 UTC+1, Matt wrote:
>>> Is there no one who has done this that can provide examples of how they
>>> did it?
>>
>> I would if I could. Company policy and all that.
>>
>> Generated the SSL certificate with the single F5 DNS address that all the
>> clients globally will hit, puppet.<domain>, using puppet cert generate...
>>
>> Put these on the F5 and have SSL terminate there and pass on anything
>> /certificate/ to the pool of CA servers so they can be revoked/stored and
>> what not - although we never will. The same certs are installed on these.
>>
>> Anything without the /certificate/ regex will be passed from the F5 down
>> to the puppet master pool which will contact a central ENC and do whatever
>> it needs to do.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msg/puppet-users/-/cAYOzqHDhNAJ.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/dhvYiicJarwJ.
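An added, hardened variant of the R_PUPPETMASTERS iRule from the post (example code, not the poster's rule nor the Puppet Labs wiki version). Because the Apache SetEnvIf lines trust whatever X-Client-Verify and X-SSL-Subject headers reach port 18140, this variant removes any copies of those headers that arrived from the client before inserting its own, and only emits SUCCESS when a client certificate was actually presented and verified. The header names and the /certificate/ routing are from the post; the SSL::cert count guard and the NONE/FAILED values are assumptions added here.

```tcl
# Hardened R_PUPPETMASTERS iRule (added example, not the poster's rule).
when HTTP_REQUEST {
    # Drop any trust headers supplied by the client so the only values Apache
    # maps into SSL_CLIENT_* are the ones this rule inserts below.
    foreach h {"X-Client-Verify" "X-Client-DN" "X-SSL-Subject" "X-Forwarded-Proto"} {
        HTTP::header remove $h
    }
    HTTP::header insert "X-Forwarded-Proto" "https"

    # CSR and certificate fetches go through without client-cert headers,
    # exactly as in the post.
    set cert_request 0
    set path2 [URI::path [HTTP::uri] 2 2]
    if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
        set cert_request 1
    }
}

when HTTP_REQUEST_SEND {
    if { $cert_request == 0 } {
        clientside {
            if { [SSL::cert count] == 0 } {
                # No client certificate in the handshake (assumed value, mirrors mod_ssl).
                HTTP::header insert "X-Client-Verify" "NONE"
            } elseif { [SSL::verify_result] != 0 } {
                # Certificate presented but did not verify against the profile's CA.
                HTTP::header insert "X-Client-Verify" "FAILED"
            } else {
                # Verified: pass the DN in mod_ssl's "/CN=..." form, as the post does.
                set dn "/[X509::subject [SSL::cert 0]]"
                HTTP::header insert "X-Client-Verify" "SUCCESS"
                HTTP::header insert "X-Client-DN" $dn
                HTTP::header insert "X-SSL-Subject" $dn
            }
        }
    }
}
```

The 18140 vhost should still be reachable only from the F5 (the pool member is behind snat automap), since these headers are the sole authentication signal Puppet sees there.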